Analysis
max time kernel: 140s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 09-05-2024 01:54

Static task: static1
Behavioral task: behavioral1
  Sample: b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
  Resource: win10v2004-20240226-en
General
Target: b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
Size: 1.3MB
MD5: 59d981ed9028d3247ef3fca52e62b117
SHA1: e3e3d5233b2665cfdba8caac7ce36b46250bc0f6
SHA256: b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d
SHA512: 7f3501e07048a11e6df67806d67fa7078cb798267b944b0269dbe7b80730d1258104d74fc4e5512316624034148116c7020972ac6c3ba3d176e9c78264d17c5c
SSDEEP: 24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aQ1CCjqxkKqTBAEnLrhX:4TvC/MTQYxsWR7aQ8Cmx5qrh
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7098045317:AAG_bq6J7neFFo87IXHfNBxKyzNKV56RSAA/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect ZGRat V1 34 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZQjTZ = "C:\\Users\\Admin\\AppData\\Roaming\\ZQjTZ\\ZQjTZ.exe"
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 31: ip-api.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (PID 2196): set thread context of 908; procid_target 97
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
RegSvcs.exe (PID 908), listed 3 times
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe: PIDs 536, 4016, 2080, 2196
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid Process Token: SeDebugPrivilege 908 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
Processes:
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe: PID 536 (3 times), PID 4016 (3 times), PID 2080 (3 times), PID 2196 (2 times)
Suspicious use of SendNotifyMessage 11 IoCs
Processes:
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe: PID 536 (3 times), PID 4016 (3 times), PID 2080 (3 times), PID 2196 (2 times)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegSvcs.exe (PID 908)
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
All entries are b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe as the writing process (description; pid; procid_target):
PID 536 wrote to memory of 4980; 536; 91 (3 times)
PID 536 wrote to memory of 4016; 536; 92 (3 times)
PID 4016 wrote to memory of 2316; 4016; 93 (3 times)
PID 4016 wrote to memory of 2080; 4016; 94 (3 times)
PID 2080 wrote to memory of 4384; 2080; 95 (3 times)
PID 2080 wrote to memory of 2196; 2080; 96 (3 times)
PID 2196 wrote to memory of 908; 2196; 97 (4 times)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (PID 536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4980)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
    [2] C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (PID 4016)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2316)
            Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
        [3] C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (PID 2080)
            Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4384)
                Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
            [4] C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (PID 2196)
                Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
                - Suspicious use of SetThreadContext
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 908)
                    Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
                    - Adds Run key to start application
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 268KB
MD5: bfd0a24603de75fbdc525aae0f0c7823
SHA1: 1c26cdb7b35452bf41b0fd9160acf8e5848a8b93
SHA256: 531af262fb42e94c46b27f1e7901fcd974f0ca7a7ca3f622e122494dca8997c1
SHA512: 4588be1d3def44af913ac9492a0ae164602b71155fc6cd6f42ce79cc7623e46df412b15b103d83f3f547be56387e07f17f574fb04dd2c84bd8f084b8df842fb6

Filesize: 9KB
MD5: 526e21e37285848fdde117dfcee5781c
SHA1: cf5a492e49ce089e1d22e6c889bdb37a47f7fb9c
SHA256: d01335bb57a5afe6e6ac69dab32d8003133f22fa89ae7c91dec8b1209de7aa2f
SHA512: f579ff96507a17684905198b20ac3348e131e585296c54bf14ffd4bd8298a6feea011f41f7fe5a246be217309a66a3b4af2eaf253b256eb165e4afebc5a1f3d7

Filesize: 29KB
MD5: 313f065560ff4c5ec2331f20ba62cb3e
SHA1: 7888da3ec7abf884b97bfcff7477b699ff30c237
SHA256: 986f7f07d819a17795a7cbd79a664195664ac6ff7e835a95cd825e83e9e7ef32
SHA512: 39dd8ce26003a2921fcff79149e47a71a43a716d99392d0e870330c95f5ebbfe3aa304fe75be0a095c4bdd011f76c5d4b7ac6efda2efe5adeb3ccfa7c1e9fc64